According to Access, an international NGO that helps advocate for digital rights, “if a single one of the 650 public certificate authorities (CAs) that your systems support, by default, is compromised the entire system is compromised - so keeping 100% of the CAs at 100% compliance and 100% impervious from zero-day attacks is a very hard problem indeed.” I’d add, especially when you don’t control them.
As breaches have sadly become a regular occurrence, the different incidents seem to be turning into a blur. What might be shocking then is that the reality is most breaches actually go unnoticed, and even unreported, because many believe that these breaches are not considered newsworthy. According to the Electronic Frontier Foundation, public CAs are revoking approximately 50,000 certificates a month - unbelievable.
Preparing and responding for a CA breach has to be a priority. However, no one said it’s going to be easy. With several recent breaches, I believe it is important to learn and apply some practical lessons.
So what lessons, if any, can we learn and apply to the challenges we face from cyber-terrorism?
1) Too much information:
We all suffer from information overload. Many of us add to this deluge by subscribing to news-feeds, twitter, and various other information sources that effectively drown us in words. In addition we all receive “junk mail” from a variety of sources. And many of us - myself included - regularly contribute to the “essential reading” that you receive.
The problem is, amongst all this ‘noise’, is hidden a vital piece of information. Take the time to at least skim messages instead of just deleting them. You never know what might catch your eye, and give you an early warning.
2) There are bigger problems:
The problem with a ‘to do’ list is that it’s never, or very rarely, finished. Sound familiar? However, with many people feeding into fix lists it’s always easier to deal with the person shouting the loudest while someone who isn’t clamouring for attention, but could have the bigger issue, gets forgotten. Another common problem is the person prioritising the items doesn’t fully understand the implications of the risks.
For example, those responsible for PKI and security have at best an “arm’s length” relationship with their IT colleagues, and as a result have little or no appreciation for the challenges that IT face. On the other had IT regards security teams with suspicion, and often are preoccupied with the suspicion that security just wants to take over responsibility.
This requires action by senior management at the CIO, CSO, CFO, CTO level to ensure that different groups cooperate rather than compete.
3) Management need to be kept aware and take responsibility:
‘Buck passing’ is a frequent past-time in many organisations, especially if someone isn’t willing to stand up and take responsibility - or feel that they can. All too often the security team does not feel empowered to bring information to the management’s attention, or no mechanism exists to inform the CIO of risks that might affect the business. On the other hand CIOs are frequently more concerned about not spending money, and keeping the board happy, than giving their “troops” the support and resources they need. If this sounds familiar then perhaps it’s time it didn’t.
4) Pay attention and act on new clues - regardless of the source:
In the IT industry there is not a day that goes by when we are not being alerted about yet another risk. However it is questionable how seriously organisations take alerts that may relate to Iranian nuclear facilities, or breaches of databases in Japan, etc.
Just because you may not have used Diginotar certificates, or Digicert Malaysia was not on your list of preferred suppliers, does not mean that you’re not the next victim. Every single Windows device has been affected by Flame and no one saw that coming.
5) Denial and retribution:
Bottom line is somebody has to pay, and when your business’ reputation and earnings are affected by severe failure in your IT infrastructure, then someone will pay. Corporate senior management expect that those who are paid to fulfil a specialist role can do so effectively. There are not many CSOs or IT Security Directors who can expect to survive a digital certificate compromise or a certificate authority (CA) compromise on the basis of “there were no warning signs”.
6) You never know when it will hit you:
Just like a boy scout - you need to be prepared. If you wake up tomorrow and discover that your internal and/or external CA had been completely compromised, would you have a clear action plan. Likely not, and I’m sure that should you get the opportunity to be in a similar position in your next organisation that you’d be better prepared the next time around.
7) Get serious about the risk:
Your infrastructure security is under attack, and your keys, certificates and CAs are a primary target. Those attacking you understand that you have ignored this area, and that enterprise key and certificate management has generally been forgotten about. Your enemy is exploiting your ignorance, and unless you get control of your CAs, they will get you.
Because keys and certificates are so broadly relied upon to secure systems and data in all organisations (commercial and government), a CA compromise can have disastrous effects. Recent events— such as Flame, Stuxnet, and Duqu— have shown that hackers are targeting CA compromises as a strategic tool in their attacks. You need to understand the risks, and educate your organisation, and that means all stakeholders, so that you are prepared for, and can respond to a CA compromise. Otherwise your bright future may be overshadowed by your less than perfect reputation
Posted by Calum MacLeod EMEA Director of enterrpise security key management provider Venafi.